Trusted Execution Environment

ABSTRACT

A trusted execution environment on a computing device within an enterprise, whether owned by the enterprise or the employee/user, allows invocation of trusted enterprise applications without hindering external or non-enterprise apps from running on the same computing device. Each of the trusted apps can interact with other trusted apps on the same enterprise computing device in a trusted manner such that other apps or untrusted network connections are prevented for access to the trusted apps. The computing device, however, also executes non enterprise applications which operate independently of the enterprise apps in the same address space using the same unmodified operating system as the enterprise apps on the computing device. The trusted execution environment therefore restricts interprocess communication to be only within the set of enterprise apps and also permits unimpeded operation of other apps under the same OTS (off the shelf) operating system.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/007,547 filed Jan. 27, 2016 by James Seibel, et al. entitled,“Trusted Execution Environment”, which is incorporated by referenceherein as if reproduced in its entirety.

BACKGROUND

Computer security, particularly to safeguard the proprietary andsensitive data of corporations and other enterprises, has becomeincreasingly scrutinized as more and more data travels electronicallyover public access networks. An enterprise or other organization,however, with many employees or members presents a particularvulnerability, as any user may be leveraged to obtain access. Further,such enterprises may employ a common set of applications on computingdevices of each individual user. It is problematic to mandate andenforce exclusive corporate usage of these personal devices; as apractical matter, little control can be exercised over a machine in auser/employee's possession. Additional applications and activitiesundertaken by users can interfere with and/or compromise enterpriseactivities on the computing device due to common execution environmentsshared by the enterprise apps and user supplied apps, resulting in avulnerability that rests upon the integrity of extraneous apps loaded bythe user.

SUMMARY

A trusted execution environment on an enterprise-enabled computingdevice, whether owned by the enterprise or the user/employee,hereinafter called an “enterprise computing device”, allows invocationof a suite of secure enterprise applications (apps) on a device withouthindering external or non-enterprise apps from running on the sameenterprise computing device. Each of the enterprise computing devicesexecutes the suite of secure enterprise apps, which interact with eachother in a trusted manner such that outside apps or network connectionsare prevented from accessing the enterprise apps. The enterprisecomputing device, however, also executes non enterprise applicationswhich operate independently of the enterprise apps in the same addressspace, and which can communicate with other non-enterprise apps, andusing the same unmodified operating system as the enterprise apps on theenterprise computing device. The trusted execution environment thereforerestricts interprocess communication only between the set of enterpriseapps and non-enterprise apps, and also permits unimpeded operation ofother apps under the same OTS (off the shelf) operating system.

Configurations herein are based, in part, on the observation thatcorporations and other enterprises often employ a dedicated suite ofapplications or apps for handling proprietary data. Employees or membersof the enterprise desire to invoke the enterprise application suite on aportable computing device along with other apps that are not directed toproprietary data. Unfortunately, conventional approaches to providing asecure or trusted application space, such as for executing theenterprise apps, suffer from the shortcoming that changes are requiredto the native operating system (OS) or conditionally assessing attemptedmemory accesses or memory partitions. Usage of a modified or custom OSpresents cost and logistical issues with deployment, as well ascompatibility issues with execution of other apps that are not in thededicated suite.

Accordingly, configurations herein substantially overcome theabove-described shortcomings by providing a trusted application space ona portable computing device for concurrent execution of trusted appswith other user selected or general apps with an unmodifiedoff-the-shelf (OTS) OS for maintaining compatibility and avoidingdeployment of a custom, trusted operating system.

In further detail, configurations herein provide a trusted executionenvironment under an unmodified, off-the-shelf (OTS) operating system ona mobile computing device by loading a plurality of applications intothe memory of an execution environment on the computing device. Theexecution environment on the computing device has memory, a processor, afile system and a network interface, and communicates securely bydesignating a communication association between one of the loadedapplications and a related application of the plurality of loadedapplications. The method detects, by any of the loaded applications, anattempt to communicate with a recipient application of the loadedapplications defining a trusted set or suite of apps. The attemptedcommunication is disallowed if the applications do not have a designatedcommunication association. Implementation on an unmodified, OTS OSallows loading one or more other applications into the executionenvironment, such that the other applications that are not designated astrusted are prevented from communicating with any of the trustedapplications.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, features and advantages of theinvention will be apparent from the following description of particularembodiments of the invention, as illustrated in the accompanyingdrawings in which like reference characters refer to the same partsthroughout the different views. The drawings are not necessarily toscale, emphasis instead being placed upon illustrating the principles ofthe invention.

FIG. 1 is a prior art system for controlling application memory access;

FIG. 2 is a context diagram of an enterprise environment suitable foruse with configurations herein;

FIG. 3 is an architecture diagram of a computing device in theenvironment in FIG. 2;

FIG. 4 shows a block diagram of the computing device in FIG. 3 accordingto configurations herein; and

FIGS. 5A and 5B are a flowchart of application (app) execution in thecomputing device of FIG. 4.

DETAILED DESCRIPTION

Depicted below is an example of an enterprise having a plurality ofportable computing devices, as might be used by employees of theenterprise, each exhibiting a secure execution environment. Examples ofcommunication between apps in the secure execution environment depictparticular features, however should not be taken to limit approaches ofthe invention as claimed herein. Various organizational settings mayelect computing devices having a secure execution environment in astationary, mobile, portable, handheld or other physical configuration.

The applications, or apps, as described represent an executable entitylaunched in the memory space of a computing device. The computingdevices have an operating system such as Android™, IOS (iPhone®Operating System), WINDOWS®, Linux or other suitable platform, howeverit should be emphasized that the techniques disclosed herein areindependent of the native OS and do not impose or require changes to theunderlying OS of the computing device. The disclosed approach alsoemploys off-the-shelf applications, such that loaded apps do not requirea specialized version for compatibility with the disclosed approach.

An example configuration depicted herein provides an environment forsecure applications to communicate with each other in the presence ofother insecure apps. This is implemented within the applicationsthemselves, and therefore does not rely on the operating system toprovide a special trusted container. Individual processes in the trustedexecution environment are wrapped to provide interception of systemcalls which affect communication with and invocation of other processes.

The trusted execution environment is overseen by a monitor process, or“keystore” application that manages communication between secureapplications. Encryption keys are managed and distributed via thekeystore application. The keystore application has an Access ControlList (ACL) or other repository that indicates which applications cancommunicate with each other. Each application has a unique ID that ismapped to a list of IDs of other applications. A trusted application canonly communicate with an application that is in its ACL.

When an application is installed, the keystore application generates anew encryption key for it. Various key generation mechanisms such asDiffie-Hellman are used to establish a trusted inter-processcommunication channel between the newly installed application and thekeystore application (KA) in order to transfer the key. An applicationthat wants to communicate with another application generally has twooptions. Either a direct communication channel can be established, orthe app can write a file to disk that is read by another.

For example, when an application A tries to read a file created by adifferent application B, it reads the file's key ID from plaintext filemetadata, then queries the KA for the correct decryption key. Ifapplication A's unique ID does not have an ACL entry for Application B,the KA denies access. If it has access, the decryption key is returnedover the secure inter-process communication channel.

When an application wants to communicate directly, a secure IPC channelbetween the two is established using AES GCM encryption using a commonkey retrieved from the KA or another suitable encryption mechanism. Inthis manner, secure sharing of encrypted files and IPC communicationscan occur between the trusted apps, managed by the keystore applicationthat limits access.

FIG. 1 is an example of a prior art system for controlling applicationmemory access. Referring to FIG. 1, a conventional computer 10 foroperating a trusted process or address space maintains partitions orregions of memory 12 designated as “trusted.” A CPU 30 directs memoryaccesses responsive to the OS 26, which occupies a high or low addressregion of memory (high address region in the example shown). Anuntrusted portion 20 maintains no particular supervisory control. Atrusted memory portion 24 occupies the region below the OS 26, and afree portion 22 is allocated as processes in the untrusted 20 andtrusted 24 portions grow towards each other.

The conventional operating system 26, before permitting a memory accessby the CPU, checks the access to ensure it does not violate the trustedmemory region 24. A memory access 40 from a process in the untrustedportion 20 to another process in the untrusted region 20 is allowed, asis a memory access 42 from the trusted region 24 to the trusted region24. However, an access attempt 44 from the untrusted portion 20 to thetrusted region 24 is disallowed, as shown by the “X” on purported access44. The operating system, however, is required to take an integral rolein scrutinizing each memory access to ensure the trusted memory portion24 remains inaccessible to the untrusted portion 20. This generallyrequires a specialized operating system, or at least modifications to astandard operating system, for scrutinizing each memory access. Runtimeperformance implications are also imposed as each memory access triggersa range check. It would be beneficial to provide a trusted executionenvironment which allows trusted processes to communicate with othertrusted processes, or apps, on an unmodified, vendor supplied OTS OS.

FIG. 2 is a context diagram of an enterprise environment suitable foruse with configurations herein. Referring to FIG. 2, in an enterprisesetting 100 such as a corporation or business having employees using aparticular set or suite of apps for handling proprietary, or corporatesensitive, information invokes a number of portable computing devices110-1 . . . 110-N (110 generally) for each employee. The computingdevices 110 may be tablets, laptops, handheld or phone type devices, ormay even be more stationary devices such as desktop computers. Each ofthe computing devices 110 executes apps 150-1 . . . 150-N (150generally), which send messages 140-1 . . . 140-N (140 generally) toother apps 150 on the same or other computing devices 110, which may beremotely accessible over a public infrastructure network 132 such as theInternet. Each of the apps 150 is generally defined by a process runningunder the OS, however more complex apps may include more than oneprocess. Messages 140 deemed trusted (140-1 . . . 140-4), as will bediscussed further below, are permitted to be received by a recipientapp, while untrusted messages 140-5 are disallowed.

FIG. 3 is an architecture diagram of a computing device 110 in theenvironment in FIG. 2. The computing device 110 typically includes aprocessor 130, memory 112, a file system 114 for accessing a storagevolume 116, and a network interface 118 for accessing the network 132.Each of the computing devices 110 employs a trusted executionenvironment 160 for launching and executing the apps 150. The trustedexecution environment 160 includes a set of processes, or apps, 150-10 .. . 150-12 in this example, including a wrapping layer 152 formonitoring messages and other accesses invoked by the process 150, asdisclosed in further detail in copending U.S. patent application Ser.No. 14/208,068, filed Mar. 13, 2014, entitled “MODIFICATION OF COMPILEDAPPLICATIONS AND APPLICATION MANAGEMENT USING RETRIEVABLE POLICIES,”incorporated herein by reference. Each of the processes 150 in thetrusted group 150-N may communicate with other processes in the trustedgroup 150-N, as shown by message paths 154. Untrusted processes 153outside the trusted group 150-N may not communicate with the trustedprocesses 150, as shown by blocked paths 155. The trusted executionenvironment 160 identifies an attempt to communicate with any of theapps 150 in the execution environment, and disallows the communicationif a corresponding communication association is not found. In thismanner, any number of apps, or processes, may be concurrently loadedinto the same memory space 112 for invocation by the user, within thehardware limits of the device 110. The trusted environment disclosedherein prevents the trusted apps 150 from being accessed by any of theuntrusted apps 153, without any other restrictions on execution ormemory ranges in which each group (150, 153) of apps may reside.

FIG. 4 shows a block diagram of the computing device in FIG. 3 accordingto configurations herein. Referring to FIGS. 2-4, the executionenvironment 160 on each of the trusted computing devices 110 includes akeystore application (KA) 170 for distributing keys for allowinginterprocess communication between the processes 150 in the trustedgroup 150-N of apps. The KA securely holds all of the application keyswhen the trusted environment is not active, e.g., when the device isasleep or before a trusted app 150 has been started. When a trusted app150 starts, it retrieves the corresponding file system and IPC keys fromthe KA. [Ed. Note: The keystore does not monitor IPC, it merely controlsaccess to the keys that enable communication, and thereby controls whichapps can communicate.]

The KA 170 maintains an association table 172 for defining accesscontrol between the apps 150. The association table 172 includes entries174-1 . . . 174-N (174 generally) for denoting related apps 150 whichmay communicate with each other. Each entry 174 defines an app 180 and arelated app 182 to which communication may be performed, denoted by appIDs or other unique identifier for identifying the app 150 on thecomputing device 110. Associations may be bidirectional orunidirectional depending on how the control system is implemented inalternate configurations. To support a unidirectional association, thetable 172 may define source and destination apps, for example. Theassociation entries 174 may also include a key 184 which is employed forencrypting data transferred between the processes. In a particularconfiguration, an app may have a master key which is then used tocompute a file specific key for writing files 216 to and reading files216 from the file system 116, as discussed further below.

Each app 150 may generally invoke one of three modes of interprocesscommunication (IPC): in-memory, file transfer, or network transmission.For example, continuing to refer to FIG. 4, the app 150-1 intends tocommunicate with another app 150-2 on the same device, as shown by arrow200. The KA 170 examines the association table 172 for an entry 174designating the apps 150-1, 150-2 as related, and thus permitted tocommunicate. Generally a match between an app ID of the apps 150-1,150-2 and the app 180 and related apps 182 fields is performed, howeverother implementation such as a list of app IDs associated with aparticular app 150 may be provided.

Control of in-memory IPC, which may be any suitable IPC mechanism assupported by the OS, such as shared memory or sockets, within thetrusted app space can be achieved in either of two modes, a permissivemode, or a restrictive mode. In the permissive mode, when two apps 150-1and 150-2 first want to communicate, they each request a key from the KA170, arrows 205 and 220 in FIG. 4, then retain the common key in theirprivate memory as long as each app is running. The stored key is thenused to encrypt and decrypt any messages 200 between the two apps.

In the restrictive mode of in-memory IPC, continuing to refer to FIG. 4,app 150-1 initiates a message transmission to app 150-2 by a requestexchange with the KA 170, as shown by arrows 205. The KA 170 performs alookup in the association table 172, and identifies key 1 correspondingto the association between apps 150-1 and 150-2, from the key column184. The sending app 150-1 encrypts a message 214 with the retrieved key1, and writes the encrypted message 214 to an IPC channel 230 such asshared memory or other mechanism. The receiving app 150-2 queries the KA170 for authority to receive communications from app 150-1, and uponpositive verification also receives key 1, as shown by arrows 220. App150-2 reads the encrypted message 214 from the IPC channel 230, and usesthe received key 1 to decrypt the message. It should be noted thatimplementation of the restrictive mode of IPC control would likely havea performance impact with current hardware and OS choices.

The file system 116 generally serves the entire device 110 includingboth the trusted apps 150 and the untrusted apps 153. A trusted app 150(the author app) creates a unique identifier for each file 216 that itwrites to disk, and encrypts the contents of the file 216 using analgorithm that takes its master key 184 and the file identifier asinputs. The KA can provide the decryption key for the file 216 toanother trusted app 150 (the recipient app) that is allowed access (perthe association table 172) since it has the author app's master key 184and the same algorithm for creating the file key. The KA uses the authorkey and the file 216 identifier to generate the decryption key which itpasses to the recipient app. The resulting key allows communicationbetween the author and recipient only through that particular file. Inthis manner, learning a file-specific key only exposes access to thatone file.

When using network transmission, a trusted app 150 cannot encrypt themessages it sends or decrypt those it receives since it cannot assume acommon keystore application between it and the remote system. Referringto FIG. 4, any messages 240 the trusted app 150 sends through the publicInternet 132 must be secured through use of a virtual private network(VPN) that encrypts the network traffic and is only accessible to thetrusted apps and trusted remote clients or servers.

FIGS. 5A and 5B are a flowchart of application (app) execution in thecomputing device of FIG. 4. Referring to FIGS. 2-5B, at step 500, themethod of providing a trusted execution environment 160 in a mobilecomputing device 110 as disclosed herein includes loading a plurality oftrusted applications into the memory 112 of an execution environment160, in which the execution environment has memory 112, a processor 130,a file system 114 and a network interface 118. In addition, at least oneother (untrusted) application 153 may be loaded into the executionenvironment 160, such that the one other application is prevented fromcommunicating with any of the trusted applications 150, as disclosed atstep 501. Both trusted 150 and untrusted 153 applications can thereforecoexist in the same address region and access the same file store 114,and execute on an unmodified OTS OS, without permitting the untrustedapplications 153 to access or message the trusted applications 150.

Accordingly, in the example configuration, detecting an attempt tocommunicate includes wrapping the applications in the set of trustedapplications, and leaving the other applications unmodified, such thatthe wrapped applications are operable in the execution environment 160responsive to an unmodified operating system, as depicted at step 502.Wrapping may be performed by any suitable method, such as uponinstallation in the host device, by binding with DLLs (Dynamic LinkLibrary), upon loading in preparation for launch, or other suitablemechanism, as disclosed more fully in the copending application citedabove.

The execution environment 160 designates a communication associationbetween one of the trusted applications and a related application of theplurality of trusted applications, as shown at step 510. In the exampleconfiguration, this includes storing the designated communicationassociations in an association table accessible by the KA 170, such thatthe KA 170 is configured to receive an identity of a trusted application150, and indicate if a communication association exists with anotherapplication 150 in the execution environment 160, as depicted at step511. The association table 172 includes a set of entries 174, in whicheach entry has an indication of one of the applications of the pluralityof the applications and an identity of the related application to whichthe application may communicate, as shown at step 512. Alternaterepresentations, such as lists, may also be employed.

The application wrapper 152 controls access to system calls and otherinvocations which could be used to access or transmit sensitive datafrom the wrapped app 150. The wrapper 152 detects an attempt tocommunicate by identifying file accesses, IPC accesses and networkaccesses for each of the trusted applications, such that the trustedapplications 150-N define a set of trusted applications operable forcommunication only with other applications in the set of trustedapplications exclusive of other applications in the memory (i.e.untrusted apps 153) outside the set of trusted applications.

A check is performed, at step 522, to determine if a communicationassociation exists between the apps 150 in questions. If no match isfound, than at least one of the apps 150 is not trusted, or in thetrusted set. The KA 170 disallows the attempted communication if theapplications do not have a designated communication association, asdepicted at step 530. No keys are sent from the KA, removing an abilityfor the purported recipient app to interpret the transmitted message.

Otherwise, if the check at step 522 indicates that a communicationassociation exists, the sending app identifies a message fortransmission between the associated applications. The KA 170 generates akey based on the identity of the related application to whichcommunication is attempted, as depicted at step 550. The sending app 150transmits, using the computed key, the identified message to therecipient application 150, as shown at step 560.

If the transmission mode was via file transfer, then transmittingfurther includes writing the identified message to the file 216, suchthat the contents of the file 216 are encrypted using the generated key,as disclosed at step 561, and transmitting the generated key to therecipient application from the KA 170, such that the KA 170 is operableto store and retrieve the designated communication associations, asdepicted at step 562.

The recipient app 150 receives the computed key at the recipientapplication for decrypting the generated message, as shown at step 563reads the file 216 and decrypts the message using the transmitted key,as disclosed at step 564.

It will be appreciated by those skilled in the art that alternateconfigurations of the disclosed invention include a multiprogramming ormultiprocessing computerized device such as a workstation, handheld orlaptop computer or dedicated computing device or the like configuredwith software and/or circuitry (e.g., a processor as summarized above)to process any or all of the method operations disclosed herein asembodiments of the invention. Still other embodiments of the inventioninclude software programs such as a Java Virtual Machine and/or anoperating system that can operate alone or in conjunction with eachother with a multiprocessing computerized device to perform the methodembodiment steps and operations summarized above and disclosed in detailbelow. One such embodiment comprises a computer program product that hasa computer-readable storage medium including computer program logicencoded thereon that, when performed in a multiprocessing computerizeddevice having a coupling of memory and a processor, programs theprocessor to perform the operations disclosed herein as embodiments ofthe invention to carry out data access requests. Such arrangements ofthe invention are typically provided as software, code and/or other data(e.g., data structures) arranged or encoded on a non-transitory computerreadable storage medium such as an optical medium (e.g., CD-ROM), floppyor hard disk or other medium such as firmware or microcode in one ormore ROM, RAM or PROM chips, field programmable gate arrays (FPGAs) oras an Application Specific Integrated Circuit (ASIC). The software orfirmware or other such configurations can be installed onto thecomputerized device (e.g., during operating system execution or duringenvironment installation) to cause the computerized device to performthe techniques explained herein as embodiments of the invention.

While the system and methods defined herein have been particularly shownand described with references to embodiments thereof, it will beunderstood by those skilled in the art that various changes in form anddetails may be made therein without departing from the scope of theinvention encompassed by the appended claims.

What is claimed is:
 1. A method of providing an execution environment ina computing device, comprising: loading a plurality of trustedapplications into a memory of the computing device; maintaining, in thememory, a plurality of communication associations, wherein eachcommunication association of the plurality of communication associationscomprises a first identifier for a first application and a secondidentifier for a second application; detecting an attempt to communicatewith a recipient application by an originating application, therecipient application being selected from the plurality of trustedapplications; searching through the plurality of communicationassociations for a communication association comprising an identifier ofthe recipient application and an identifier of the originatingapplication; and upon failing to find the communication associationcomprising the identifier of the recipient application and theidentifier of the originating application, disallowing thecommunication.
 2. The method of claim 1 further comprising loading atleast one untrusted application into the execution environment, the atleast one untrusted application being prevented from communicating withany of the trusted applications.
 3. The method of claim 1 furthercomprising: identifying a message for transmission between theoriginating application and the recipient application; generating a keybased on the identity of the recipient application; transmitting, usingthe generated key, the identified message to the recipient application;and receiving the generated key at the recipient application fordecrypting the generated message.
 4. The method of claim 3 wherein thetransmitting comprises: writing the identified message to a file, thecontents of the file encrypted using the generated key; transmitting thegenerated key to the recipient application from a keystore application,the keystore application operable to store and retrieve the plurality ofcommunication associations; reading the file and decrypting the message,by the recipient application, using the generated key.
 5. The method ofclaim 3 wherein the transmitting comprises: designating an IPC(Interprocess Communication) channel between a transmitting applicationof the trusted applications and the recipient application; encryptingthe identified message using the generated key; transmitting theencrypted message to the recipient application from the originatingapplication; and transmitting the generated key to the recipientapplication from a keystore application, the keystore applicationoperable to store and retrieve the plurality of communicationassociations.
 6. The method of claim 1 wherein detecting the attempt tocommunicate identifies file accesses, IPC accesses and network accessesfor each of the trusted applications, the trusted applications defininga set of trusted applications operable for communication only with otherapplications in the set of trusted applications exclusive of otherapplications in the memory outside the set of trusted applications. 7.The method of claim 6 wherein detecting an attempt to communicatefurther comprises wrapping the applications in the set of trustedapplications, and leaving the other applications unmodified, the wrappedapplications operable in the execution environment responsive to anunmodified operating system.
 8. The method of claim 1 further comprisingstoring the designated communication associations in an associationtable accessible by a keystore application, the keystore applicationconfigured to receive an identity of a trusted application and indicateif a communication association exists with another application in theexecution environment.
 9. The method of claim 8 wherein the associationtable includes entries, each entry having an indication of one of theapplications of the plurality of the trusted applications and anidentity of the related application to which the application maycommunicate.
 10. A computing device for providing an executionenvironment, comprising: a memory; and a processor; wherein the memoryand the processor cooperate to: load a plurality of trusted applicationsinto the memory; maintain, in the memory, a plurality of communicationassociations, wherein each communication association of the plurality ofcommunication associations comprises a first identifier for a firstapplication and a second identifier for a second application; detect anattempt to communicate with a recipient application by an originatingapplication, the recipient application being selected from the pluralityof trusted applications; searching through the plurality ofcommunication associations for a communication association comprising anidentifier of the recipient application and an identifier of theoriginating application; and upon failing to find the communicationassociation comprising the identifier of the recipient application andthe identifier of the originating application, disallowing thecommunication.
 11. The computing device of claim 10, wherein the memoryand the processor further cooperate to load at least one untrustedapplication into the execution environment, the at least one untrustedapplication being prevented from communicating with any of the trustedapplications.
 12. The computing device of claim 10 wherein the memoryand the processor further cooperate to: identify a message fortransmission between the originating application and the recipientapplication; generate a key based on the identity of the recipientapplication; transmit, using the generated key, the identified messageto the recipient application; and receive the generated key at therecipient application for decrypting the generated message.
 13. Thecomputing device of claim 12 wherein the transmitting comprises: writingthe identified message to a file, the contents of the file encryptedusing the generated key; transmitting the generated key to the recipientapplication from a keystore application, the keystore applicationoperable to store and retrieve the plurality of communicationassociations; reading the file and decrypting the message, by therecipient application, using the generated key.
 14. The computing deviceof claim 12 wherein the transmitting comprises: designating an IPC(Interprocess Communication) channel between a transmitting applicationof the trusted applications and the recipient application; encryptingthe identified message using the generated key; transmitting theencrypted message to the recipient application from the originatingapplication; and transmitting the generated key to the recipientapplication from a keystore application, the keystore applicationoperable to store and retrieve the plurality of communicationassociations.
 15. The computing device of claim 10 wherein detecting theattempt to communicate identifies file accesses, IPC accesses andnetwork accesses for each of the trusted applications, the trustedapplications defining a set of trusted applications operable forcommunication only with other applications in the set of trustedapplications exclusive of other applications in the memory outside theset of trusted applications.
 16. The computing device of claim 15wherein detecting an attempt to communicate further comprises wrappingthe applications in the set of trusted applications, and leaving theother applications unmodified, the wrapped applications operable in theexecution environment responsive to an unmodified operating system. 17.The computing device of claim 10, wherein the memory and the processorfurther cooperate to store the designated communication associations inan association table accessible by a keystore application, the keystoreapplication configured to receive an identity of a trusted applicationand indicate if a communication association exists with anotherapplication in the execution environment.
 18. The computing device ofclaim 17 wherein the association table includes entries, each entryhaving an indication of one of the applications of the plurality of thetrusted applications and an identity of the related application to whichthe application may communicate.
 19. A non-transitory computer readablemedium having stored thereon executable code for execution by aprocessor of a computing device, the executable code comprisinginstructions for: loading a plurality of trusted applications into amemory of the computing device; maintaining, in the memory, a pluralityof communication associations, wherein each communication association ofthe plurality of communication associations comprises a first identifierfor a first application and a second identifier for a secondapplication; detecting an attempt to communicate with a recipientapplication by an originating application, the recipient applicationbeing selected from the plurality of trusted applications; searchingthrough the plurality of communication associations for a communicationassociation comprising an identifier of the recipient application and anidentifier of the originating application; and upon failing to find thecommunication association comprising the identifier of the recipientapplication and the identifier of the originating application,disallowing the communication.